FAQ

Here you can see the answers to some of the most frequently asked questions at the Danish Data Protection Agency.

Yes, if it is an image of a recognisable person, it is covered by the data protection rules.

Most often not.

However, in very few cases companies etc. must obtain permission from the Danish Data Protection Agency before processing personal data.

The General Data Protection Regulation (GDPR) defines "the data controller" as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing data.

The determining factor is who actually decides how the data is processed.

No, the data protection rules only concern when a public authority, private company, etc. can process personal data.

The rules do not determine whether a public authority, private company, etc. is entitled to obtain information about you.

However, other legislation may oblige you to provide your personal data in specific situations and contain consequences if you refuse to do so. 

Companies etc. may collect, register, process and disclose personal data obtained from one or more publicly available registers such as the Danish official gazette, CVR, motor vehicles securities register, etc.

There are no specific rules in the General Data Protection Regulation and the Danish Data Protection Act on the processing of such data by private companies, but in specific cases the Danish Data Protection Agency has previously assessed the lawfulness of such processing on the basis of the so-called balancing test, where the Agency has placed particular emphasis on the fact that the information comes from sources that are available to the public.

You always have the right to object to the processing of your personal data.

However, since the processing of such data is most often lawful, it should be noted that your objection would only be considered justified if compelling reasons regarding your particular situation determine that the processing of your data may not take place.

If you have suffered financial loss from a processing that was in breach of the data protection rules, you may be entitled to compensation.

Financial losses resulting from violations of the data protection rules may occur, inter alia, through incorrect data processing in connection with credit information, e-commerce and employment situations.

However, the Danish Data Protection Agency cannot help you if you believe that you are entitled to compensation. Instead, you need to bring the case to the courts.

Yes. You can be punished with a fine or imprisonment for up to six months if you violate the data protection rules.

Yes. Data protection rules apply to the processing of personal data, regardless of the size of the organisation or company that carries out the processing.

The registration of information on members by associations is covered by the data protection rules.

It is in accordance with the data protection rules for an association to register general information such as registration date, ID information, job posts, etc. Generally, an association will also be able to register information of a more specific nature, such as information about a member’s best score, golf handicap, certificate level, etc.

As a rule, you may disclose such information within the association, e.g. in the form of a membership list in a member’s magazine that is only distributed internally within the association, or on a closed website where only members of the association have access.

However, it requires the consent of each member if you wish to publish a membership list on the open internet.

It is the opinion of the Data Protection Agency that membership of an association, regardless of the fact that this may be an uncontroversial one, such as a sports association, is a private matter.

If you send an e-mail containing information etc. to all members of the association, you must be aware of how you enter the recipients’ email addresses.

E-mail addresses of recipients of such a mass broadcast should not appear on the e-mail itself, and you should therefore place the recipients’ e-mail addresses in the bcc field of the e-mail so that the recipients cannot see other e-mail addresses than their own.

In the determination of who is the data controller for personal data in a research project, particular attention may be paid to:

  • Who initiated the project?
  • Who is funding the project?
  • Is the researcher paid by, for example, the public authority?
  • On what IT equipment will the research data be processed?
  • Who has the authority of instruction in the project?
  • What will happen if the researcher finds a new job – will the person concerned continue the project afterwards?
  • Who can take steps to erase the personal data?
  • Who participates in the project?
  • How long will the research project take?

No. Data processed for the purpose of carrying out a research study of major importance to society (research data) cannot be further processed for statistical or scientific purposes.

This means that the data cannot be used for, for example, marketing, case processing or patient treatment.

Most often, yes. However, the disclosure of personal data requires compliance with the data protection rules including the legal basis for the disclosure and compliance with the basic processing rules on objectivity, necessity and proportionality.

No, the data protection rules only determine when public authorities, private companies, etc. can and may process personal data. 

The rules do not state when a public authority, private company, etc. is obliged to provide personal data to others.

There are special rules on the disclosure of information from health records etc. to a researcher for a specific health science research project in the Danish Health Act.

In certain circumstances, the Danish Patient Safety Authority must approve a transfer from medical records, etc.

You should contact the Danish Patient Safety Authority if you have any questions regarding this matter.

The data protection rules must be complied with in regard to multinational research projects.

Most often, it is important to clarify where the data responsibilities are located and whether data processors are used.

The information registered for a project must be deleted when it is no longer necessary to process the data in a personally identifiable form.

The data must be deleted by the end of the survey or when the statistic has been produced. Alternatively, the information may be anonymised so that it is no longer possible to identify the data subjects, or transferred to archives according to the rules of the Danish Archive Act.

You may object to processing, e.g. publication, of information about you.

First, you must object to the private company, private individual, public authority, etc., who has published information about you on a website.

If you have difficulty in finding out who is behind a website you may be able to look up the website in DK Hostmaster’s WHOIS database. It is a database of all registered Danish websites.

If the private company, etc., refuses to delete the data you can file a complaint to the Danish Data Protection Agency.

According to the data protection rules, you are entitled to have wrongful information about you corrected or deleted.

If you believe that a private company, public authority, etc. has registered incorrect information about you, you should first contact the company, the authority, etc.

If the private company, public authority etc. refuses to correct or delete the data about you, you can file a complaint to the Danish Data Protection Agency.

However, special rules apply to the public authorities. Normally, municipalities and other public authorities are obliged to keep case information in such a way that the progress of a case can be documented.

The Data Protection Agency has settled a number of cases in which information registered by a public authority could not be required to be deleted.

The authority must make note of your protests, so it can be seen in the case that you have a different opinion from the authority.

It depends on the content of the image, including where and when the image was taken, as well as the purpose of the publication. You should ask yourself whether the persons shown in the picture can reasonably feel exhibited, exploited or violated.

If you have doubts as to whether it is reasonable to publish a picture of a person, it is often appropriate to ask them.

Yes. Certain information is considered a special category of personal data. For example, information about another person's certain illness or another person's political conviction.

Normally, you may only publish such information if you have a clear consent from the individual to whom the information relates or if the individual has published the information in advance.

Information on racial or ethnic origin, political, religious or philosophical beliefs or trade union affiliation, health information or information on sexual relations or sexual orientation are considered special categories of personal data. Similarly, genetic and biometric data, with the purpose of unambiguously identifying a natural person, are considered a special category of personal data.

Be aware that if what you write is very offensive, you may be violating the Danish criminal code.

The Danish Data Protection Agency supervises that authorities, private companies and other data controllers comply with the General Data Protection Regulation and the Danish Data Protection Act.

Generally, it is up to the responsible company, authority, etc. to assess whether data processing takes place within the framework of the data protection rules.

Therefore, if you believe that a public authority, private company or the like is processing information about you contrary to data protection rules, you should first contact them, get their explanation on the matter and ask them to make a decision on your request.

In the case of personal data relating to a posting on Facebook or another social media or a discussion thread at a debate forum, you should contact the person behind the notice, get their views on the case and ask them to delete or remove the information.

Subsequently, you can consider whether you still need to get the Danish Data Protection Agency’s assessment of the case.

You can only complain about the processing of information about yourself and not about others. However, you can always get someone to complain on your behalf if you give him or her the authority to do so, just as you can complain on behalf of someone else if you have the authority from him or her.

If you wish to complain about the processing of personal data in connection with a posting on Facebook or other social media or a discussion thread in a debate forum, you should contact the person behind the notice, get their views on the case and ask them to delete or remove the information.

Subsequently, you can consider whether you still need to get the Danish Data Protection Agency’s assessment of the case.

You can contact the Danish Data Protection Agency by telephone, e-mail or letter mail if you wish to be advised about your options or wish to file a complaint regarding a processing of your personal data.

The processing of personal data by the media is largely exempted from the data protection rules and the supervisory competence of the Danish Data Protection Agency.

In some cases however, the Danish Press Council may deal with a complaint.

If a number information service, such as De Gule Sider, Krak, etc., publishes information about secret telephone numbers, you should contact your telecom provider or the relevant number information service if you wish to stop the publication.

If you have questions or wish to object to a number information service, you should contact the Danish Energy Agency.

If you wish to complain about a case of access to documents or the disclosure of health information in accordance with the rules of the Danish Health Act, you can contact the Danish Patient Safety Authority.

If you have any questions about the processing of personal data by the courts, you should contact The Danish Court Administration for further information.

You can read more on the website of the Danish Court Administration.

If you have been exposed to identity theft, for example by another person abusing your name or social security number to take out a loan, the Danish Data Protection Agency cannot help you. Instead, you should report the matter to the police.

Private individuals may, in accordance with the Data Protection Act, process information such as personal identification numbers (CPR), if it follows from certain laws or regulations, or when the data subject has given his or her express consent.

You can ask the company to provide you with the reasons why you are asked for a social security number, including whether the use of your personal identification number has a relevant and objective purpose, or whether it is legislation that requires the company to register your personal identification number.

However, the data protection rules only determine whether private bodies may register your social security number. The rules do not determine when a company is entitled to receive your personal identification number.

Therefore, the Danish Data Protection Agency cannot say whether, in a specific situation, it has consequences that you do not wish to consent to the registration of your personal identification number.

Generally, it is considered a sufficiently secure procedure to provide information by letter mail.

Therefore, it is not contrary to the data protection rules that a letter contains a personal identification number unless it can be read, for example in the letter pane.

Furthermore, it is a criminal offence under the Danish criminal code to break the secrecy of the mail.

You have the right to know what information a public authority, private company, etc. has registered about you electronically.

You are entitled to access information about what personal information is being processed, the purpose of the processing, the categories of recipients of the information and information on where the data comes from.

There are no formal requirements on how to ask for access to information. It can be done by phone, by letter or by email.

If you believe that incorrect information about you has been registered, you can contact the public authority, private company, etc., which in your opinion processes incorrect information.

It is a good idea to clearly write what information you think is wrong – and why.

You can make your enquiry by phone, by letter or by e-mail.

Once the public authority, private company, etc. has received your enquiry, they must assess whether the data should be deleted, blocked or corrected.

If they refuse to delete, block or correct the information, you can file a complaint to the Danish Data Protection Agency.

Blocking is a special marking of the data, which means that the data may continue to be stored but not otherwise processed or used. Blocking of personal data is rarely used.

Generally, the information from public authorities cannot be deleted because of special rules in the Danish Public Procurement Act and the Archive Act.

Yes. Processing of data may take place on a number of legal bases other than the data subject’s consent. The specific legal basis depends on the type of information to be processed.

Yes, consent can be withdrawn at any time.

If consent is withdrawn, the processing of data relating to the data subject must cease if the data cannot be processed on a different basis.

A withdrawal of consent does not have retroactive effect and therefore does not affect the processing of data prior to the revocation.

The controller should cease processing the data as soon as possible if the data subject withdraws his or her consent.

It is important to bear in mind that the retention of the data subject’s data is also a processing of data which therefore must be discontinued at the time of withdrawal. However, this applies only to data processed on the basis of consent, but not to data for which the processing basis is different from consent – for example, a contract between the controller and the data subject.

The data subject has the right to have his or her information deleted when a consent has been withdrawn. Even if the data subject does not request it, the controller should take a position on the question of deleting the data if the processing is based solely on consent, since there is no longer a legal ground for storing the data subject’s data.

Furthermore, if the controller has a legal ground for processing other than consent – for example, retention of data in order to comply with the rules on accounting – the processing can still take place.

First, it depends on what areas you want to monitor.

Private individuals may not carry out video surveillance of areas used for general traffic. This is regulated in the Danish Video Surveillance Act.

For other areas, however, the law does not regulate when television surveillance is allowed. For such areas, the Video Surveillance Act only has an impact on whether there is an obligation to inform about the existence of television surveillance.

In addition, TV surveillance images must be stored, deleted, etc. in accordance with data protection rules. However, data protection rules do not apply to private individuals who carry out television surveillance as part of purely personal or household activities.

An example of a purely personal or household activity is:

After repeated break-ins, a family wants to set up cameras in the garden and in the driveway of their house to get pictures of the thieves. The video surveillance is legal, as these are not areas used for ordinary traffic. The cameras must be set up so that they do not record off-site, such as the pavement. The family’s storage of the recordings is exempted from data protection rules.

However, it is important to bear in mind that television surveillance will no longer be part of purely personal or household activities if the family shares video surveillance images with someone other than the police.

Note: The Danish Data Protection Agency is not a supervisory authority in relation to the Video Surveillance Act. If you believe that there is a violation of the rules of the Video Surveillance Act, you should contact the police.

There are certain limitations on the employer’s options to make use of video surveillance of employees. The main limitations are:

  • There must be an operational purpose.
  • It must not violate the rights of the employees.
  • An agreement must be sought with the employees.

According to the Danish criminal code, individual offices may not be surveilled without the employee’s consent.

It follows from the Danish Video Surveillance Act that the person performing surveillance of a workplace must indicate by means of a sign or by any other clear means that the area is surveilled.

In addition to the requirements of the Danish Act on Video Surveillance regarding signposting etc., the employer must give the employees and others, e.g. cleaning staff, information as required by the data protection rules. Employees must be informed, inter alia, of the purpose of the surveillance and of the cases in which the recordings will be reviewed and transmitted to the police. The information can be provided, for example, in the guidelines for the workplace or in a personnel manual.

The information must be given in advance so that new employees are notified.

Please note that the Danish Data Protection Agency is not a supervisory authority in relation to the Video Surveillance Act. If you believe that there is a violation of the rules of the Video Surveillance Act, you should contact the police.

According to the Danish Video Surveillance Act, public authorities, private companies, etc., that carry out video surveillance of places or premises to which access is generally available, or of workplaces, must provide such information by means of signs or by other means.

Notwithstanding any signposting, the General Data Protection Regulation’s rules on the right to be informed apply. This means that even if the public authority, private companies, etc. inform about video surveillance by posting signs, they must also be aware of providing information as required by the General Data Protection Regulation to the extent necessary.

The Danish Data Protection Agency is not a supervisory authority in relation to the Video Surveillance Act. If you believe that there is a violation of the rules of the Video Surveillance Act, you should contact the police.

The Danish criminal code prohibits secret interception or recording of conversations between others.

The ban applies everywhere and thus applies, for example, to areas used for ordinary traffic (road, path, squares, etc.), in shops and means of transport, etc., in offices and workplaces and in private homes.

The criminal code implies that it is generally prohibited to listen to or record audio in connection with video surveillance, unless the interception or recording is with the consent of at least one of the participants in the conversation being intercepted or recorded.